Information security analytics

Massachusetts Data Security Rules for Out-of-State Businesses
Massachusetts’s new data security regulations, effective as of March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Extending beyond what is required by other states, Massachusetts specifies that, for example, covered entities must implement a written information security program and must encrypt personal information that will be transmitted over the Internet, or that is kept on laptops and other portable devices.
New breach notification requirements in effect in Canada
Amendments to the Personal Information Protection Act (PIPA) were proclaimed in force on May 1, 2010, and added a new requirement for organizations to notify the Information and Privacy Commissioner of incidents “involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual.” PIPA was also amended to give the Commissioner the power to require organizations to notify individuals to whom there is a real risk of significant harm as a result of such an incident.
Knesset security lapse exposes secret Mossad data
The Knesset Web site committed a major security lapse several weeks ago by publicizing the names of high-level Mossad and Shin Bet officials whose identities are kept secret by law. The security breach comes after a similar error last year exposed information on some of Israel's most sensitive, defense-related technological systems, Haaretz has learned. Memoranda from the meetings of Knesset committees and other government bodies are routinely posted on the Knesset Web site.
Guernsey: Data protection law amended to include prison time
Michael Adkins of Collas Day summarizes amendments to the Data Protection (Bailiwick of Guernsey) Law. According to Wikipedia, Guernsey is a possession of the UK but is part of neither the UK nor the EU. Of particular interest in their amendments:
Privacy Rights in the Workplace: City of Ontario v. Quon
The Supreme Court will soon hear arguments in City of Ontario v. Quon, an important Fourth Amendment case involving the privacy of electronic communications in the workplace.
California Senate again OKs breach notification law update
The California Senate has approved a bill that would update the state's pioneering data breach notification law, the lawmaker who introduced the legislation announced Friday. The bill from Democratic Sen. Joe Simitian is a reintroduction of the same measure that he proposed last year, but which was ultimately vetoed by Gov. Arnold Schwarzenegger.
95 undisclosed breaches occurred in the US in 2010
Here are 95 breach reports between January 1, 2010 and April 12, 2010. The following are organized by sectors. Of particular note in this batch, it appears that the Tropical Supermarket chain was hacked. Since these reports were first received April 12, there may be more to come. Healthcare Sector: 6 reports:
Virginia Adds Medical Information Breach Notice Law
The state of Virginia has passed a breach notice law requiring notice of security breaches involving medical information. Medical information is defined in the Virginia law as follows: "Medical information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:
Mississippi Passes Breach Notice Law
Yesterday, Mississippi Governor Haley Barbour approved Mississippi's first breach notification law, House Bill 583, leaving only four states without a notification law (Alabama, Kentucky, New Mexico, and South Dakota).
Student loan company: Data on 3.3M people stolen
The InfoWatch analytic center reports that a company that guarantees federal student loans said Friday that personal data on about 3.3 million people nationwide has been stolen from its headquarters in Minnesota. Educational Credit Management Corp. said the data included names, addresses, Social Security numbers and dates of birth of borrowers, but no financial or bank account information.